...
|
...
|
@@ -68,6 +68,13 @@ Time: 0.024 sec (0 m 0 s)
|
68
|
68
|
them automatically loaded every time clamscan/clamd starts just copy them
|
69
|
69
|
to the local virus database directory.
|
70
|
70
|
|
|
71
|
+ \subsection{MD5, PE section based}
|
|
72
|
+ You can create an MD5 signature for a specific section in a PE file.
|
|
73
|
+ Such signatures are stored in .mdb files in the following format:
|
|
74
|
+ \begin{verbatim}
|
|
75
|
+PESectionSize:MD5:MalwareName
|
|
76
|
+ \end{verbatim}
|
|
77
|
+
|
71
|
78
|
\subsection{Hexadecimal signatures}
|
72
|
79
|
ClamAV keeps viral fragments in hexadecimal format. If you don't know how
|
73
|
80
|
to get a proper signature please try the MD5 method or submit your sample
|
...
|
...
|
@@ -175,17 +182,34 @@ virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
|
175
|
175
|
\begin{itemize}
|
176
|
176
|
\item \emph{Worm} for Internet worms
|
177
|
177
|
\item \emph{Trojan} for backdoor programs
|
|
178
|
+ \item \emph{Adware} for adware
|
|
179
|
+ \item \emph{Flooder} for flooders
|
|
180
|
+ \item \emph{HTML} for HTML files
|
|
181
|
+ \item \emph{Email} for email messages
|
|
182
|
+ \item \emph{IRC} for IRC trojans
|
178
|
183
|
\item \emph{JS} for Java Script malware
|
|
184
|
+ \item \emph{PHP} for PHP malware
|
|
185
|
+ \item \emph{ASP} for ASP malware
|
179
|
186
|
\item \emph{VBS} for VBS malware
|
|
187
|
+ \item \emph{BAT} for BAT malware
|
180
|
188
|
\item \emph{W97M}, \emph{W2000M} for Word macro viruses
|
181
|
189
|
\item \emph{X97M}, \emph{X2000M} for Excel macro viruses
|
182
|
190
|
\item \emph{O97M}, \emph{O2000M} for general Office macro viruses
|
183
|
191
|
\item \emph{DoS} for Denial of Service attack software
|
|
192
|
+ \item \emph{DOS} for old DOS malware
|
184
|
193
|
\item \emph{Exploit} for popular exploits
|
185
|
194
|
\item \emph{VirTool} for virus construction kits
|
186
|
195
|
\item \emph{Dialer} for dialers
|
187
|
196
|
\item \emph{Joke} for hoaxes
|
188
|
197
|
\end{itemize}
|
|
198
|
+ Important rules of the naming convention:
|
|
199
|
+ \begin{itemize}
|
|
200
|
+ \item always use a -zippwd postfix in the malware name for signatures of type zmd,
|
|
201
|
+ \item always use a -rarpwd postfix in the malware name for signatures
|
|
202
|
+ of type rmd,
|
|
203
|
+ \item only use alphanumeric characters, dash (-), dot (.), underscores
|
|
204
|
+ (\_) in malware names, never use space, apostrophe or quote mark.
|
|
205
|
+ \end{itemize}
|
189
|
206
|
|
190
|
207
|
\section{Special files}
|
191
|
208
|
|
...
|
...
|
@@ -214,67 +238,6 @@ LibClamAV debug: FSG: found old EP @1554
|
214
|
214
|
LibClamAV debug: FSG: Successfully decompressed
|
215
|
215
|
LibClamAV debug: UPX/FSG: Decompressed data saved in /tmp/clamav-4eba73ff4050a26
|
216
|
216
|
\end{verbatim}
|
217
|
|
- And create a signature for \verb+/tmp/clamav-4eba73ff4050a26+
|
218
|
|
-
|
219
|
|
- \section{Building CVD files - ClamAV maintainers only}
|
220
|
|
- Run freshclam to check you're using the latest databases. Next enter
|
221
|
|
- some \textbf{empty} temporary directory and execute the following command:
|
222
|
|
- \begin{verbatim}
|
223
|
|
-sigtool --unpack-current daily.cvd
|
224
|
|
- \end{verbatim}
|
225
|
|
- This will unpack all databases from the current \emph{daily.cvd} database.
|
226
|
|
- Add signatures to appropriate files and build the final CVD:
|
227
|
|
- \begin{verbatim}
|
228
|
|
-sigtool --build daily.cvd --server SIGNING_SERVER
|
229
|
|
- \end{verbatim}
|
230
|
|
- where SIGNING\_SERVER is one of the ClamAV Signing Servers you have
|
231
|
|
- access to. This command will automatically generate binary database with
|
232
|
|
- a digital signature.
|
233
|
|
- \begin{verbatim}
|
234
|
|
-LibClamAV debug: Loading databases from .
|
235
|
|
-LibClamAV debug: Loading ./daily.db
|
236
|
|
-LibClamAV debug: Loading ./daily.hdb
|
237
|
|
-LibClamAV debug: Initializing trie.
|
238
|
|
-Database properly parsed.
|
239
|
|
-Signatures: 183
|
240
|
|
-COPYING
|
241
|
|
-tar: main.db: Cannot stat: No such file or directory
|
242
|
|
-tar: main.hdb: Cannot stat: No such file or directory
|
243
|
|
-daily.db
|
244
|
|
-daily.hdb
|
245
|
|
-tar: Notes: Cannot stat: No such file or directory
|
246
|
|
-tar: Error exit delayed from previous errors
|
247
|
|
-Builder id: tkojm
|
248
|
|
-Password:
|
249
|
|
-Signature received (length = 171).
|
250
|
|
-Database daily.cvd created.
|
251
|
|
- \end{verbatim}
|
252
|
|
- Don't worry about "No such file or directory" \emph{tar} errors. Finally,
|
253
|
|
- you should verify the new database with:
|
254
|
|
- \begin{verbatim}
|
255
|
|
-zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd
|
256
|
|
-Build time: 26 Aug 2004 22-41 +0200
|
257
|
|
-Version: 473
|
258
|
|
-# of signatures: 183
|
259
|
|
-Functionality level: 2
|
260
|
|
-Builder: tkojm
|
261
|
|
-MD5: 0e89235392c1a1142dda0d022f218903
|
262
|
|
-Digital signature: bWBCx3KO7rkdOQo+zTIZXKhGNvmEz5n/fTUsCEVrdFwhWr2gf5MjsmO7nF/4BdRV/qwXEHJtp0i/2g6awhqUFaO73bbH5f+zmuHy8h0wqYv6jhlIdeA8uh6DGQYBj7azyS9O/0+bXEvU1SutpL3rW8ireFky6zXKv5BVbhnZj9j
|
263
|
|
-Verification OK.
|
264
|
|
- \end{verbatim}
|
265
|
|
- Now you must update the main rsync server:
|
266
|
|
- {\small
|
267
|
|
- \begin{verbatim}
|
268
|
|
-rsync -tcz --stats --progress -e ssh daily.cvd clamupload@rsync1.clamav.net:public_html/
|
269
|
|
-ssh rsync1.clamav.net -i ~/.ssh/id_rsa -l clamavdb sleep 1
|
270
|
|
- \end{verbatim}}
|
271
|
|
- Please consult \cite{mirroring} for more information. After an update please
|
272
|
|
- send a summary to \url{clamav-virusdb@lists.clamav.net}. Thanks!
|
273
|
|
-
|
274
|
|
- \begin{thebibliography}{99}
|
275
|
|
- \bibitem{mirroring}
|
276
|
|
- Luca Gibelli, \emph{Mirroring the Virus Database}\\
|
277
|
|
- \url{http://www.clamav.net/doc/mirrors}
|
278
|
|
- \end{thebibliography}
|
|
217
|
+ and then create a signature for \verb+/tmp/clamav-4eba73ff4050a26+
|
279
|
218
|
|
280
|
219
|
\end{document}
|